Method and apparatus to perform squaring operation in finite field

ABSTRACT

A method and apparatus to square an element A when a defining polynomial of a finite field GF(2^(n)) is expressed as ${f(x)} = {x^{n} + {\sum\limits_{i = 1}^{t}x^{k_{i}}} + 1}$ and the element A contained in the finite field is expressed as A=(a₀,a₁,a₂, . . . ,a_(n−1))∈GF(2^(n)). The method determines coefficients m_(i), l_(ij), V₀, V_(ij), and V such that the coefficient m_(i) satisfies a predetermined condition with respect to k_(i) when 1≦i≦t is a natural number, l_(ij) depends on n, k_(i), and j when 2≦j≦m_(i), V₀ and V_(ij) of n bits, respectively, depend on n, l_(ij), and k_(i), and obtains the coefficient V with respect to m_(i) according to the following formula $\begin{matrix}{{V_{i} = {V_{i2} \oplus V_{i3} \oplus \ldots \oplus V_{{im}_{i}}}},} \\{V = {V_{0} \oplus {\sum\limits_{m_{i} \neq 0}V_{i}}}}\end{matrix};$ determines a coefficient s_(i) according to k_(i) and n and cyclically shifts the coefficient V by s_(i); performs an XOR operation on the cyclically shifted coefficient V and the element A; and rewires a result of the XOR operation in a predetermined order and outputs results of the squaring.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of Korean Patent Application Nos. 2003-38684, filed on Jun. 16, 2003 and 2003-77329, filed on Nov. 3, 2003, in the Korean Intellectual Property Office, the disclosures of which are incorporated herein by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a method and apparatus to perform a squaring operation in a finite field.

2. Description of the Related Art

A finite field GF(2^(n)) is a number system containing 2^(n) elements. Based on the fact that each element of the finite field GF(2^(n)) can be represented by n bits, practical applications of the finite field can be accomplished. Practical applications, such as hardware implementation of error correction codes and elliptic curve cryptosystems, frequently perform calculations in GF(2^(n)). An apparatus for encoding/decoding Reed-Solomon codes performs calculations in GF(2^(n)), and an encryption/decryption apparatus of an elliptic curve cryptosystem performs calculations in GF(2^(n)) where “n” is a large value.

The addition and multiplication rules of GF(2), which contains only the binary numbers 0 and 1, are defined by Formula (1).
0+0=1+1=0
0+1=1+0=1
0×0=1×0=0×1=0
1×1=1   (1)

Here, binary addition is a bitwise exclusive OR (referred to as XOR hereinafter) operation, and binary multiplication is a bitwise AND (referred to as AND hereinafter) operation.

Since the finite field GF(2^(n)) (n>1) is a number system containing 2^(n) elements, addition and multiplication correspond to arithmetic modulo an irreducible n-degree polynomial having coefficients in GF(2). The irreducible n-degree polynomial is referred to as a defining polynomial of the finite field. When a root of the defining polynomial is α, an element of the finite field has a standard representation given by Formula (2).
a₀+a₁α+a₂α²+ . . . +a_(n−1)α^(n−1)=(a₀,a₁,a₂, . . . ,a_(n−1)), a_(i)∈GF(2)   (2)

Multiplication of two elements in the finite field GF(2^(n)) is given by polynomial multiplication in α followed by a modulo operation by the defining polynomial. Addition of two elements of the finite field GF(2^(n)) is performed by polynomial addition in α.

Assume that the defining polynomial of the finite field GF(2^(n)) is expressed as shown in Formula (3) and α is a root of the defining polynomial. $\begin{matrix}{{f(x)} = {x^{n} + {\sum\limits_{i = 1}^{t}x^{k_{i}}} + 1}} & (3)\end{matrix}$ where n is an arbitrary natural number, 0<t, and k_(i)<n.

If an element A of the finite field is expressed as A=(a₀,a₁,a₂, . . . ,a_(n−1))∈GF(2^(n)), the square of the element A is determined by polynomial multiplication in α followed by a modulo operation by the polynomial f(α).
A²≡(a₀+a₁α+a₂α²+ . . . +a_(n−1)α^(n−1))² mod f(α)   (4)

Conventional techniques of performing a squaring operation as shown in Formula (4) will be explained below. Here, the size of hardware, namely, the number of gates, serves as a measure for area complexity, and gate delays of the hardware serve as a measure for time complexity. Cryptographic standards, such as SEC and ANSI X9.62, define coefficients necessary for the elliptic curve cryptosystems and recommend several coefficients in the finite field. The two standards are most widely used to determine coefficients in the finite field. Accordingly, the two standards are used as criteria in deciding wide applicability of the respective techniques. Here, n represents the dimension of the finite field.

The invention by H. Wu entitled “Bit-parallel finite field multiplier and squarer using polynomial basis (IEEE Transactions on Computers, Vol. 51, No. 7, pp. 750-758, 2002)” discloses an arrangement of squaring results for values of n and k when a defining polynomial is a trinomial given by x^(n)+x^(k)+1. Since the formula adopted by Wu's invention is optimized, high efficiency in area and time complexity can be achieved. But Wu's invention does not cover the case when the defining polynomial is a pentanomial.

The invention by C. H. Kim et al. entitled “A new hardware architecture for operations in GF(2^(n)) (IEEE Transactions on Computers, Vol. 51, No. 1, pp. 90-92, 2002)” discloses that when n+1 is a prime number, 2∈Z_(n+1) is a primitive element in GF(2^(n)), an anomalous basis is used, and a defining polynomial is an all-one polynomial (AOP), squaring can be achieved by rewiring, where rewiring means redefining relationships among elements and/or inserting new elements into a matrix. But the pertinent n and the defining polynomial for Kim's invention are not found in the standards.

The invention by K. Aoki et al. entitled “Scheme for arithmetic operations in finite field and group operations over elliptic curves realizing improved computational speed (U.S. Pat. Nos. 6,266,688 and 6,202,076, 2001)” discloses that when n is even and the finite field GF(2^(n)) meets a condition of GF(2)<GF(2^(n/2))<GF(2^(n)), arithmetic operations in the finite field GF(2^(n)) can be performed using arithmetic operations in the finite field GF(2^(n/2)), and suggests a square calculation device using the scheme. But when using the Aoki device, the way of representing the finite field is different from that in the standards, resulting in poor compatibility. Further, since most of the “n”s in the standards are odd, the invention by K. Aoki et al. is rarely applicable.

The invention by Lambert et al. entitled “Method and apparatus for implementing arithmetical operations in finite fields (EU Pat. No. 1,076,284 A1, 2001)” performs a squaring operation using a cyclic basis. The cyclic basis is 1,α^(Δ),α^(2Δ),α^(3Δ), . . . ,α^((m−1)Δ) where Δ, the smallest divisor of 2^(n)−1, satisfies m=(2^(n)−1)/Δ≧n, Δ≧n. In this case, the squaring operation is implemented by rewiring. But the invention requires basis conversion, which is very complex since the factor Δ satisfying the above condition is fairly large.

The invention by G. Orlando et al. entitled “Squaring architecture for GF(2^(n)) and its application in cryptographic systems (Electronics Letters, Vol. 36, No. 13, pp. 1116-1117, 2000)” discloses a method of dividing an element according to predetermined fundamentals and inputting the divided element to a multiplier. The squaring architecture includes 3.5 n gates as well as the multiplier. Accordingly, the invention by G. Orlando et al. is less efficient than the invention by H. Wu employing approximately n/2 gates.

The invention by C. C. Wang et al. entitled “VLSI architectures for computing multiplications and inverses in GF(2^(m)) (IEEE Transactions on Computers, Vol. C-34, No. 8, pp. 709-717, 1985)” utilizes a normal basis such that a squaring operation is implemented by rewiring. But the basis conversion required by the invention is very complex.

Accordingly, there is a demand for a method and apparatus for performing a squaring operation that does not require complex basis conversion and has low area and time complexity.

SUMMARY OF THE INVENTION

The present invention provides a method and apparatus to perform a squaring operation in a finite field by defining coefficients necessary for the squaring operation using a defining polynomial of the finite field, performing exclusive OR (referred to as XOR hereinafter) operations on the defined coefficients, and rewiring results of the XOR operation.

According to an aspect of the present invention, there is provided a method to perform a squaring operation on an element A when a defining polynomial of a finite field GF(2^(n)) is expressed as ${f(x)} = {x^{n} + {\sum\limits_{i = 1}^{t}x^{k_{i}}} + 1}$ where n is odd, and the element A contained in the finite field is expressed as A=(a₀,a₁,a₂, . . . ,a_(n−1))∈GF(2^(n)), the method comprising: determining predefined coefficients m_(i), l_(ij), V₀, V_(ij), and V, such that the coefficient m_(i) satisfies a predetermined condition with respect to k_(i) when 0≦i≦t is a natural number, the coefficient l_(ij) depends on n, k_(i), and j when 2≦j≦m_(i), the coefficients V₀ and V_(ij) of n bits, respectively, depend on n, l_(ij), and k_(i), and obtaining the coefficient V with respect to m_(i) according to the following formula; $\begin{matrix}{{V_{i} = {V_{i2} \oplus V_{i3} \oplus \ldots \oplus V_{{im}_{i}}}},} \\{V = {V_{0} \oplus {\sum\limits_{m_{i} \neq 0}V_{i}}}}\end{matrix};$ determining a predefined coefficient s_(i) according to k_(i) and n and cyclically shifting the coefficient V by s_(i); performing XOR operations on the cyclically shifted coefficient V and the element A; and rewiring a result of the XOR operations in a predefined order and outputting results of the squaring operation.

According to another aspect of the present invention, there is provided an apparatus to perform a squaring operation on an element A when a defining polynomial of a finite field GF(2^(n)) is expressed as ${f(x)} = {x^{n} + {\sum\limits_{i = 1}^{t}x^{k_{i}}} + 1}$ where n is odd, and the element A of the finite field is expressed as A=(a₀,a₁,a₂, . . . ,a_(n−1))∈GF(2^(n)), the apparatus comprising: a coefficient calculating unit, which calculates coefficients necessary for the squaring operation by: determining predefined coefficients m_(i), l_(ij), V₀, V_(ij), and V such that the coefficient m_(i) satisfies a predetermined condition with respect to k_(i) when 0≦i≦t is a natural number, the coefficient l_(ij) depends on n, k_(i), and j when 2≦j≦m_(i), the coefficients V₀ and V_(ij) of n bits, respectively, depend on n, l_(ij), and k_(i), and obtaining the coefficient V with respect to m_(i) according to the following formula; $\begin{matrix}{{V_{i} = {V_{i2} \oplus V_{i3} \oplus \ldots \oplus V_{{im}_{i}}}},} \\{V = {V_{0} \oplus {\sum\limits_{m_{i} \neq 0}V_{i}}}}\end{matrix};$ and determining a predefined coefficient s_(i) according to k_(i) and n and cyclically shifting the coefficient V by s_(i); an XOR operating unit, which includes a plurality of XOR gates and performs XOR operations on input A according to results of the coefficient calculating unit; and a rewiring unit, which rewires outputs of the XOR operating unit in a predefined order and outputs final results of the squaring operation.

According to still another aspect of the present invention, there is provided a method to perform a squaring operation on an element A when a defining polynomial of a finite field GF(2^(n)) is expressed as ${f(x)} = {x^{n} + {\sum\limits_{i = 1}^{t}x^{k_{i}}} + 1}$ where n is even, and the element A of the finite field is expressed as A=(a₀,a₁,a₂, . . . ,a_(n−1))∈GF(2^(n)), the method comprising: determining predefined coefficients m_(i), l_(ij), V₀, V_(ij), and V, such that the coefficient m_(i) satisfies a predetermined condition with respect to k_(i) when 1≦i≦t is a natural number, the coefficient l_(ij) depends on n, k_(i), and j when 2≦j≦m_(i), the coefficients V₀ and V_(ij) of n bits, respectively, depend on n, l_(ij), and k_(i), and obtaining the coefficient V with respect to m_(i) according to the following formula; $\begin{matrix}{{V_{i} = {V_{i2} \oplus V_{i3} \oplus \ldots \oplus V_{{im}_{i}}}},} \\{V = {V_{0} \oplus {\sum\limits_{m_{i} \neq 1}V_{i}}}}\end{matrix};$ determining a predefined coefficient s_(i) according to k_(i) and n and cyclically shifting the coefficient V by s_(i) according to a predetermined formula; obtaining an element $\overline{A}$ from the element A and performing XOR operations on the cyclically shifted coefficient V with the element $\overline{A}$; and rewiring a result of the XOR operations in a predefined order and outputting results of the squaring operation.

According to yet another aspect of the present invention, there is provided an apparatus to perform a squaring operation on an element A when a defining polynomial of a finite field GF(2^(n)) is expressed as ${f(x)} = {x^{n} + {\sum\limits_{i = 1}^{t}x^{k_{i}}} + 1}$ where n is even, and the element A of the finite field is expressed as A=(a₀,a₁,a₂, . . . ,a_(n−1))∈GF(2^(n)), the apparatus comprising: a coefficient calculating unit, which calculates coefficients necessary for the squaring operation by: determining predefined coefficients m_(i), l_(ij), V₀, V_(ij), and V such that the coefficient m_(i) satisfies a predetermined condition with respect to k_(i) when 1≦i≦t is a natural number, the coefficient l_(ij) depends on n, k_(i), and j when 2≦j≦m_(i), the coefficients V₀ and V_(ij) of n bits, respectively, depend on n, l_(ij), and k_(i), and obtaining the coefficient V with respect to m_(i) according to the following formula; $\begin{matrix}{{V_{i} = {V_{i2} \oplus V_{i3} \oplus \cdots \oplus V_{{im}_{i}}}},} \\{V = {V_{0} \oplus {\sum\limits_{m_{i} \neq 0}V_{i}}}}\end{matrix};$ and determining a predetermined coefficient s_(i) according to k_(i) and n and cyclically shifting the coefficient V by s_(i) according to a predetermined formula; an XOR operating unit, which includes a plurality of XOR gates, and which obtains an element $\overline{A}$ from the input element A according to a second predetermined formula, and performs XOR operations on results of the cyclic shift operation received from the coefficient calculating unit with the element $\overline{A}$; and a rewiring unit, which rewires an output of the XOR operating unit and outputs final results of the squaring operation.

Additional aspects and/or advantages of the invention will be set forth in part in the description which follows, and in part, will be obvious from the description, or may be learned by practice of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

These and/or other aspects and advantages of the invention will become apparent and more readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:

FIG. 1 is a block diagram of an apparatus to perform a squaring operation in a finite field according to a first embodiment of the present invention;

FIG. 2 illustrates an implementation result of Formula (23) using a plurality of exclusive OR gates and a rewiring unit;

FIG. 3 illustrates an implementation result of Formula (27) using a plurality of XOR gates and a rewiring unit;

FIG. 4 illustrates a result obtained after reducing a number of the XOR gates of FIG. 3;

FIG. 5 is a block diagram of an apparatus to perform a squaring operation in a finite field according to a second embodiment of the present invention;

FIG. 6 illustrates an implementation result of Formula (42) using a plurality of XOR gates and a rewiring unit;

FIG. 7 is a table illustrating a comparison of area and time complexity between the conventional art and embodiments of the present invention;

FIG. 8 is a table illustrating a comparison of area and time complexity in three finite fields defined by SEC standards between the conventional art and an embodiment of the present invention; and

FIG. 9 is a table illustrating a comparison of applicability to the standards, basis conversion, and problem between the conventional art and an embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Reference will now be made in detail to the embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to the like elements throughout. The embodiments are described below to explain the present invention by referring to the figures.

FIG. 1 is a block diagram of an apparatus to perform a squaring operation in a finite field GF(2^(n)) according to a first embodiment of the present invention when n is odd. Referring to FIG. 1, the apparatus includes a coefficient calculating unit 10, an XOR operating unit 12, and a rewiring unit 14.

The coefficient calculating unit 10 calculates coefficients necessary for the squaring operation of a defining polynomial. The XOR operating unit 12 performs XOR operations on coefficients output from the coefficient calculating unit 10. The rewiring unit 14 rewires outputs of the XOR operating unit 12 and outputs final coefficients of the squaring operation.

The operation of the apparatus to perform the squaring operation when n is odd will now be explained in further detail.

Assume that the defining polynomial of GF(2^(n)) is defined by Formula (5). $\begin{matrix}{{f(x)} = {x^{n} + {\sum\limits_{i = 1}^{t}x^{k_{i}}} + 1}} & (5)\end{matrix}$

If an element A of the finite field is expressed as A=(a₀,a₁,a₂, . . . ,a_(n−1))∈GF(2^(n)), the square A² of the element A may be expressed by Formula (6). $\begin{matrix}\begin{matrix}{A^{2} \equiv {\left( {a_{0} + {a_{1}\alpha} + {a_{2}\alpha^{2}} + \cdots + {a_{n - 1}\alpha^{n - 1}}} \right)^{2} \bmod {f(\alpha)}}} \\{= {c_{0}c_{1}c_{2}\cdots c_{n - 1}}} \\{= C}\end{matrix} & (6)\end{matrix}$

The square A² is a vector C, which also belongs to GF(2^(n)).

In Formula (5), x^(n)+1 and $\sum\limits_{i = 1}^{t}x^{k_{i}}$ add up to the defining polynomial f(x), and area and time complexity of a multiplier are determined by n, t, and k_(i).

Coefficients m_(i), l_(ij), l, V₀, V_(ij), and V, necessary for obtaining the components of the vector C, are defined as follows.

If k_(i)=1 for i=1,2, . . . ,t, the coefficient m_(i)=0.

If k_(i) satisfies the following Formula (7) $\begin{matrix}{\frac{{\left( {r - 2} \right)n} + 1}{r - 1} < k_{i} \leq \frac{{\left( {r - 1} \right)n} + 1}{r}} & (7)\end{matrix}$ where r≧2 is an integer, it is defined that the coefficient m_(i)=r. When m_(i) is not 0, the coefficient l_(ij) (i=1,2, . . . ,t, and j=2,3, . . . ,m_(i)) is defined by Formula (8). $\begin{matrix}{l_{ij} = {\frac{n - 1}{2} - \left\lfloor {\left( {j - 1} \right)\frac{n - k_{i}}{2}} \right\rfloor}} & (8)\end{matrix}$

If k_(i) is even, the coefficient l is defined by Formula (9).
l=max{l_(i2) | k_(i): even}   (9)

If k_(i) is not even, the coefficient l=0.

The coefficient V₀ is defined by Formula (10). $\begin{matrix}{V_{0} = \underbrace{a_{\frac{n + 1}{2}}a_{\frac{n + 3}{2}}\cdots a_{n - 1}00\cdots 0}_{n\ \text{bits}}} & (10)\end{matrix}$

The coefficient V_(ij) is defined as follows when m_(i)≠0. Both when k_(i) is odd and when k_(i) is even and j is odd, the coefficient V_(ij) is defined by Formula (11). $\begin{matrix}{V_{ij} = \underbrace{a_{n - l_{ij}}a_{n - l_{ij} + 1}\cdots a_{n - 1}00\cdots 0}_{n\ \text{bits}}} & (11)\end{matrix}$

When both k_(i) and j are even, the coefficient V_(ij) is defined by Formula (12). $\begin{matrix}{V_{ij} = {\underbrace{0\cdots 0}_{\frac{n - 1}{2}\ \text{bits}}\ \underbrace{a_{n - l_{ij}}a_{n - l_{ij} + 1}\cdots a_{n - 1}00\cdots 0}_{\frac{n + 1}{2}\ \text{bits}}}} & (12)\end{matrix}$

The coefficient calculating unit 10 obtains the coefficients V_(i) and V from the already obtained coefficients by Formula (13). $\begin{matrix}\begin{matrix}{V_{i} = {V_{i2} \oplus V_{i3} \oplus \cdots \oplus V_{{im}_{i}}}} \\{V = {V_{0} \oplus {\sum\limits_{m_{i} \neq 0}V_{i}}}}\end{matrix} & (13)\end{matrix}$

Next, a coefficient s_(i) dependent on k_(i) (i=1,2, . . . ,t) is defined by Formula (14). $\begin{matrix}{s_{i} = \left\{ \begin{matrix}\frac{k_{i} + 1}{2} & {{k_{i}\text{: odd}},} \\\frac{k_{i} + 1 + n}{2} & {k_{i}\text{: even}}\end{matrix} \right.} & (14)\end{matrix}$

A cyclic shift operation is performed on the coefficient V for the respective s₁ through s_(t) obtained from Formula (14), XOR operations are performed on results of the cyclic shift operation, and one more XOR operation is performed with the element A. A result C′ of the XOR operations may be expressed by Formula (15).
C′=A⊕(V>>s₁)⊕ . . . ⊕(V>>s_(t))   (15)

The result C′ obtained from Formula (15) is represented as an XOR operation formula on the element A. The XOR operating unit 12 performs the XOR operation according to Formula (15).

If the result C′ obtained from Formula (15) is expressed as C′=c₀′c₁′ . . . c_(n−1)′, c_(i) of the square A²=c₀c₁ . . . c_(n−1) is obtained from the result C′ by Formula (16).
c_(i)=c_(j)′ (i≡2j mod n)   (16)

The rewiring unit 14 rewires the results obtained from Formula (15) according to Formula (16) and outputs final results of the squaring operation.

The area and time complexity of the apparatus constructed as above are calculated as follows. The apparatus according to the first embodiment performs only XOR operations. The number of times the XOR operations are performed is given by Formula (17). $\begin{matrix}{\underbrace{{- l} + {\sum\limits_{m_{i} \neq 0}l_{i2}} + l_{i3} + \cdots + l_{{im}_{i}}}_{\text{step 1}} + \underbrace{t\left( {\frac{n - 1}{2} + l} \right)}_{\text{step 2}} + \underbrace{0}_{\text{step 3}}} & (17)\end{matrix}$

Since the third operation only requires the rewiring operation, no XOR operations are performed in the third operation. In particular, when t=1, that is, when the defining polynomial is a trinomial, if k₁ satisfies Formula (18), $\begin{matrix}{1 < k_{1} \leq \frac{n + 1}{2}} & (18)\end{matrix}$ then the number of XOR operations performed is given by Formula (19). $\begin{matrix}\left\{ \begin{matrix}{\underbrace{\frac{k_{1} - 1}{2}}_{\text{step 1}} + \underbrace{\frac{n - 1}{2}}_{\text{step 2}}} & {{k_{1}\text{: odd}},} \\{\underbrace{0}_{\text{step 1}} + \underbrace{\frac{n - 1}{2} + \frac{k_{1}}{2}}_{\text{step 2}}} & {k_{1}\text{: even}}\end{matrix} \right. & (19)\end{matrix}$

It is difficult to explain the time complexity of the apparatus exactly. Thus, a case of the worst time complexity can be explained. Since the squaring apparatus according to the first preferred embodiment of the present invention employs only XOR gates, gate delays can serve as a measure of the time complexity. The maximum delay due to the XOR gates is determined by Formula (20). $\begin{matrix}\left\lceil {\log_{2}\left( {1 + t + {\sum\limits_{m_{i} \neq 0}\left( {m_{i} - 1} \right)}} \right)} \right\rceil & (20)\end{matrix}$

Particularly, when t=1 and k₁ satisfies Formula (18), an XOR gate delay is expressed by Formula (21). $\begin{matrix}\left\{ \begin{matrix}2 & {{k_{1}\text{: odd}},} \\1 & {k_{1}\text{: even}}\end{matrix} \right. & (21)\end{matrix}$

As an example, calculation results of the coefficients and the complexity will now be explained when n=11, in the first embodiment. When the defining polynomial is expressed as x¹¹+x²+1, t=1 and k₁=2. Coefficients necessary for the squaring operation are determined from n, t, and k_(i) as follows. According to Formulae (7) through (11), m₁=2, l₁₂=1, l=1, V₀=a₆a₇a₈a₉a₁₀000000, and V₁₂=00000a₁₀00000. Using the coefficients m₁, l₁₂, l, V₀, and V₁₂, V₁=00000a₁₀00000 and V=a₆a₇a₈a₉a₁₀a₁₀00000 are obtained according to Formula (13).

The coefficient s₁ is determined as s₁=7 according to Formula (14). According to Formula (15), the vector C′ is determined by Formula (22). $\begin{matrix}\begin{matrix}{C^{\prime} = {A \oplus \left( {V \gg 7} \right)}} \\{= {A \oplus {a_{10}a_{10}00000a_{6}a_{7}a_{8}a_{9}}}} \\{= {\left( {a_{0} \oplus a_{10}} \right)\left( {a_{1} \oplus a_{10}} \right)a_{2}a_{3}a_{4}a_{5}{a_{6}\left( {a_{7} \oplus a_{6}} \right)}}} \\{\left( {a_{8} \oplus a_{7}} \right)\left( {a_{9} \oplus a_{8}} \right)\left( {a_{10} \oplus a_{9}} \right)}\end{matrix} & (22)\end{matrix}$

If the rewiring operation with respect to C′ is implemented according to Formula (16), the square A²=c₀c₁c₂ . . . c₉c₁₀ is obtained by Formula (23).
A²=(a₀⊕a₁₀)a₆(a₁⊕a₁₀)(a₇⊕a₆)a₂(a₈⊕a₇)a₃(a₉⊕a₈)a₄(a₁₀⊕a₉)a₅   (23)

FIG. 2 illustrates an implementation result of Formula (23) obtained using a plurality of XOR gates 21 and a rewiring unit 22.

Referring to FIG. 2, the squaring apparatus includes six XOR gates contributing to area complexity, and has one gate delay contributing to time complexity.

For another example, the case where the defining polynomial is x¹¹+x⁴+x²+x+1 will now be explained. According to the defining polynomial, t=3, k₁=1, k₂=2, and k₃=4.

Coefficients obtained from t, k₁, k₂, and k₃ are expressed by Formula (24).
m₁=0, m₂=m₃=2
l₂₂=1, l₃₂=2
l=2
V₀=a₆a₇a₈a₉a₁₀000000
V₂₂=00000a₁₀00000, V₃₂=00000a₉a₁₀0000   (24)

From the coefficients of Formula (24), V₂=00000a₁₀00000 and V₃=00000a₉a₁₀0000 are obtained. The coefficient V, the XOR of V₀, V₂, and V₃ according to Formula (13), is determined by Formula (25).
V=a₆a₇a₈a₉a₁₀(a₁₀⊕a₉)a₁₀0000   (25)

According to Formula (14), it is determined that s₁=1, s₂=7, and s₃=8. Accordingly, vector C′ is determined by Formula (26). $\begin{matrix}\begin{matrix}{C^{\prime} = {A \oplus \left( {V \gg 1} \right) \oplus \left( {V \gg 7} \right) \oplus \left( {V \gg 8} \right)}} \\{= {\left( {a_{0} \oplus a_{9} \oplus a_{10}} \right)\left( {a_{1} \oplus a_{6} \oplus a_{10} \oplus a_{9} \oplus a_{10}} \right)}} \\{\left( {a_{2} \oplus a_{7} \oplus a_{9} \oplus a_{10} \oplus a_{10}} \right)\left( {a_{3} \oplus a_{8} \oplus a_{10}} \right)} \\{\left( {a_{4} \oplus a_{9}} \right)\left( {a_{5} \oplus a_{10}} \right)\left( {a_{6} \oplus a_{9} \oplus a_{10}} \right)\left( {a_{7} \oplus a_{6} \oplus a_{10}} \right)} \\{\left( {a_{8} \oplus a_{6} \oplus a_{7}} \right)\left( {a_{9} \oplus a_{7} \oplus a_{8}} \right)\left( {a_{10} \oplus a_{8} \oplus a_{9}} \right)}\end{matrix} & (26)\end{matrix}$

If rewiring is performed according to Formula (16), the vector C (in other words, A²) is obtained by Formula (27).
A²=(a₀⊕a₉⊕a₁₀)(a₆⊕a₉⊕a₁₀)(a₁⊕a₆⊕a₁₀⊕a₉⊕a₁₀)(a₇⊕a₆⊕a₁₀)(a₂⊕a₇⊕a₉⊕a₁₀⊕a₁₀)(a₈⊕a₆⊕a₇)(a₃⊕a₈⊕a₁₀)(a₉⊕a₇⊕a₈)(a₄⊕a₉)(a₁₀⊕a₈⊕a₉)(a₅⊕a₁₀)   (27)

FIG. 3 illustrates an implementation result of Formula (27) using a plurality of XOR gates 31 and a rewiring unit 32. FIG. 4 illustrates a result obtained with a reduced number of XOR gates 41. For example, since a₁₀⊕a₁₀=0 in a₁⊕a₆⊕a₁₀⊕a₉⊕a₁₀ corresponding to c₂ of the vector C of Formula (27), only a₁⊕a₆⊕a₉ needs to be computed. Accordingly, the number of the XOR gates can be reduced. For another example, when c₅=a₈⊕a₆⊕a₇, if a₇⊕a₆, which also exists in c₃=a₇⊕a₆⊕a₁₀, is reused, the number of the XOR gates used in calculating c₅ can be further reduced. FIG. 4 illustrates results obtained after reducing the number of the XOR gates 41 in the aforesaid manner.
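The odd-n procedure of Formulas (7) through (16) can be checked symbolically. The following Python model is an added example, not code from the patent: it derives which inputs a_j are XORed into each output c_i and compares the result with schoolbook squaring reduced by Formula (5). The function names are hypothetical, and the polynomials exercised beyond the two worked examples are test inputs chosen here.

```python
"""Symbolic model of the odd-n squaring procedure, Formulas (7)-(16).

Each vector position holds the set of input indices j whose bits a_j are
XORed there, so XOR of two positions is the symmetric difference of sets.
"""


def m_coeff(n, k):
    # Formula (7): m_i = 0 when k_i = 1, otherwise the integer r >= 2 with
    # ((r-2)n+1)/(r-1) < k_i <= ((r-1)n+1)/r (cross-multiplied, integers only).
    if not 1 <= k < n:
        raise ValueError("need 1 <= k_i < n")
    if k == 1:
        return 0
    r = 2
    while not ((r - 2) * n + 1 < k * (r - 1) and k * r <= (r - 1) * n + 1):
        r += 1
    return r


def xor_vec(u, v):
    return [x ^ y for x, y in zip(u, v)]


def placed(n, offset, indices):
    # n-position vector holding a_j (j in indices) from `offset`, zeros elsewhere
    vec = [frozenset()] * n
    for p, j in enumerate(indices):
        vec[offset + p] = frozenset([j])
    return vec


def rotate_right(vec, s):
    # cyclic shift of Formula (15): position p moves to (p + s) mod n
    out = [frozenset()] * len(vec)
    for p, x in enumerate(vec):
        out[(p + s) % len(vec)] = x
    return out


def patent_square(n, ks):
    """Wiring of A^2 for f(x) = x^n + sum x^k (k in ks) + 1, n odd."""
    if n % 2 == 0:
        raise ValueError("the first embodiment requires odd n")
    half = (n - 1) // 2
    V = placed(n, 0, range(half + 1, n))                 # V0, Formula (10)
    for k in ks:
        for j in range(2, m_coeff(n, k) + 1):
            l_ij = half - ((j - 1) * (n - k)) // 2       # Formula (8)
            # Formula (12) (k_i and j both even) starts after (n-1)/2 zeros;
            # Formula (11) starts at position 0.
            offset = half if (k % 2 == 0 and j % 2 == 0) else 0
            V = xor_vec(V, placed(n, offset, range(n - l_ij, n)))  # (13)
    c_prime = placed(n, 0, range(n))                     # the element A
    for k in ks:
        s = (k + 1) // 2 if k % 2 else (k + 1 + n) // 2  # Formula (14)
        c_prime = xor_vec(c_prime, rotate_right(V, s))   # Formula (15)
    c = [None] * n
    for j in range(n):
        c[(2 * j) % n] = c_prime[j]                      # rewiring, (16)
    return c


def reference_square(n, ks):
    """Schoolbook check: A^2 = sum a_i x^(2i), reduced with Formula (5)."""
    c = [frozenset()] * n
    for i in range(n):
        exps = {2 * i}
        while max(exps) >= n:
            e = max(exps)
            exps.remove(e)
            for t in [0] + list(ks):     # x^n = 1 + sum x^(k_i) over GF(2)
                exps ^= {e - n + t}
        for e in exps:
            c[e] = c[e] ^ frozenset([i])
    return c


def xor_gate_count(c):
    # two-input XOR gates after cancellation, without sharing between outputs
    return sum(len(term) - 1 for term in c if term)


def as_formula(c):
    def term(t):
        names = ["a%d" % j for j in sorted(t)]
        return names[0] if len(names) == 1 else "(" + "^".join(names) + ")"
    return " ".join(term(t) for t in c)


if __name__ == "__main__":
    for n, ks in [(11, [2]), (11, [1, 2, 4])]:           # the two worked examples
        c = patent_square(n, ks)
        print(n, ks, c == reference_square(n, ks), xor_gate_count(c))
        print("  A^2 =", as_formula(c))
```

Because squaring is linear over GF(2), equality of the two wirings is a complete check and no enumeration of field elements is needed.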

FIG. 5 is a block diagram of an apparatus to perform a squaring operation in a finite field GF(2^(n)) according to a second embodiment of the present invention when n is even. The apparatus according to the second embodiment includes a coefficient calculating unit 50, an XOR operating unit 52, and a rewiring unit 54.

The coefficient calculating unit 50 calculates coefficients necessary for the squaring operation using a defining polynomial. The XOR operating unit 52 performs XOR operations on coefficients output from the coefficient calculating unit 50. The rewiring unit 54 rewires the outputs of the XOR operating unit 52 and outputs final results of the squaring operation.

The operation of the apparatus of the second embodiment will now be explained in further detail.

If the defining polynomial of GF(2^(n)) where n is even is defined by Formula (5) in the same manner as where n is odd, when an element A contained in the finite field is expressed as A=(a₀,a₁,a₂, . . . ,a_(n−1))∈GF(2^(n)), the square A² of the element A may be expressed by Formula (6). The result C of the squaring operation in Formula (6) is also contained in GF(2^(n)).

Coefficients m_(i), l_(ij), l, V₀, V_(ij), and V necessary for obtaining components of the vector C are defined as follows.

If k_(i)=1 (i=1,2, . . . ,t), then it is set that m_(i)=1.

If k_(i) satisfies Formula (28) $\begin{matrix}{\frac{{\left( {r - 2} \right)n} + 1}{r - 1} < k_{i} \leq \frac{{\left( {r - 1} \right)n} + 1}{r}} & (28)\end{matrix}$ when an integer r≧2, then the coefficient m_(i) is defined to be r. When m_(i)≠1 (i=1,2, . . . ,t), the coefficient l_(ij) (j=2,3, . . . ,m_(i)) is defined by Formula (29). $\begin{matrix}{l_{ij} = {\frac{n}{2} - {\left( {j - 1} \right)\frac{n}{2}} + \left\lfloor {\left( {j - 1} \right)\frac{k_{i}}{2}} \right\rfloor}} & (29)\end{matrix}$

The coefficient V₀ is defined by Formula (30). $\begin{matrix}{V_{0} = \underbrace{a_{n - \frac{n}{2}}a_{n - \frac{n}{2} + 1}\cdots a_{n - 1}00\cdots 0}_{n\ \text{bits}}} & (30)\end{matrix}$

When m_(i)≠1 (i=1,2, . . . ,t) and k_(i) is even, or when m_(i)≠1 and both k_(i) and j are odd, then the coefficient V_(ij) (j=2,3, . . . ,m_(i)) is defined by Formula (31). $\begin{matrix}{V_{ij} = \underbrace{a_{n - l_{ij}}a_{n - l_{ij} + 1}\cdots a_{n - 1}00\cdots 0}_{n\ \text{bits}}} & (31)\end{matrix}$

On the other hand, when m_(i)≠1, k_(i) is odd, and j is even, then the coefficient V_(ij) is defined by Formula (32). $\begin{matrix}{V_{ij} = {\underbrace{0\cdots 0}_{\frac{n}{2}\ \text{bits}}\ \underbrace{a_{n - l_{ij}}a_{n - l_{ij} + 1}\cdots a_{n - 1}00\cdots 0}_{\frac{n}{2}\ \text{bits}}}} & (32)\end{matrix}$

The coefficient calculating unit 50 outputs final calculation results represented by Formula (33), obtained from the coefficients m_(i), V₀, and V_(ij) when m_(i)≠1. $\begin{matrix}\begin{matrix}{V_{i} = {V_{i2} \oplus V_{i3} \oplus \cdots \oplus V_{{im}_{i}}}} \\{V = {V_{0} \oplus {\sum\limits_{m_{i} \neq 1}V_{i}}}}\end{matrix} & (33)\end{matrix}$

A coefficient s_(i) dependent on k_(i) (i=1,2, . . . ,t) is defined by Formula (34). $\begin{matrix}{s_{i} = \left\{ \begin{matrix}\frac{n + k_{i} - 1}{2} & {{k_{i}\text{: odd}},} \\\frac{k_{i}}{2} & {k_{i}\text{: even}}\end{matrix} \right.} & (34)\end{matrix}$

Next, an element $\overline{A}$ is defined by Formula (35). $\begin{matrix}{\overline{A} = \underbrace{\left( {a_{0} \oplus a_{\frac{n}{2}}} \right)\left( {a_{1} \oplus a_{\frac{n}{2} + 1}} \right)\cdots\left( {a_{\frac{n}{2} - 1} \oplus a_{n - 1}} \right)0\cdots 0}_{n\ \text{bits}}} & (35)\end{matrix}$

A shift operation marked by $\overline{\gg}$ is expressed by Formula (36). $\begin{matrix}{{a_{0}\cdots a_{\frac{n}{2} - 1}a_{\frac{n}{2}}\cdots a_{n - 1}}\ \overline{\gg}\ s = \left\{ \begin{matrix}{a_{\frac{n}{2} - s}\cdots a_{\frac{n}{2} - 1}a_{0}\cdots a_{\frac{n}{2} - s - 1}\ a_{n - s}\cdots a_{n - 1}a_{\frac{n}{2}}\cdots a_{n - s - 1}} & {s \leq {\frac{n}{2} - 1}} \\{a_{n - s + \frac{n}{2} - 1}\cdots a_{n - 1}a_{\frac{n}{2}}\cdots a_{n - s + \frac{n}{2} - 2}\ a_{\frac{n}{2} - s + \frac{n}{2}}\cdots a_{\frac{n}{2} - 1}a_{0}\cdots a_{\frac{n}{2} - s + \frac{n}{2} - 1}} & {s \geq \frac{n}{2}}\end{matrix} \right.} & (36)\end{matrix}$

The shift operation is performed on the coefficient V according to Formula (36) with respect to s₁ through s_(t) obtained from Formula (34), XOR operations are performed on results of the shift operation, and one more XOR operation is performed with the element $\overline{A}$ of Formula (35). The result C′ of the XOR operations may be expressed by Formula (37), and the result C′ obtained from Formula (37) is represented as an XOR operation formula with respect to the element A. The XOR operating unit 52 performs the XOR operation according to Formula (37).
C′=$\overline{A}$⊕(V $\overline{\gg}$ s₁)⊕ . . . ⊕(V $\overline{\gg}$ s_(t))   (37)

If the result C′ obtained from Formula (37) is expressed as C′=c₀′c₁′ . . . c_(n−1)′, c_(i) of A²=c₀c₁ . . . c_(n−1) is obtained from the result C′ according to Formula (38).

$c_{i} = \begin{cases} c_{j}' & \left(i \equiv 2j,\ j \leq \frac{n}{2}-1\right) \\ c_{j}' & \left(i = 2j - n + 1,\ j \geq \frac{n}{2}\right) \end{cases} \qquad (38)$

The rewiring unit 54 rewires the results obtained from Formula (37) according to Formula (38), and outputs final results of the squaring operation.

For example, the case where the defining polynomial is x¹⁰+x⁴+x³+x+1 will be explained below. According to the defining polynomial, t=3, k₁=1, k₂=3, and k₃=4.

Coefficients obtained from the t, k₁, k₂, and k₃ are expressed by Formula (39).

m₁=1, m₂=m₃=2
l₂₂=1, l₃₂=2
V₀=a₅a₆a₇a₈a₉00000
V₂₂=00000a₉0000, V₃₂=a₈a₉00000000   (39)

According to Formula (33), V₂, V₃, and V are represented by Formula (40).

V₂=00000a₉0000, V₃=a₈a₉00000000
V=(a₅⊕a₈)(a₆⊕a₉)a₇a₈a₉a₉0000   (40)

According to Formula (34), it is determined that s₁=5, s₂=6, and s₃=2. According to Formulae (35) through (37), the result C′ is determined as shown in Formula (41).

$\begin{aligned} C' &= \overline{A} \oplus (V\ \overline{\gg}\ 5) \oplus (V\ \overline{\gg}\ 6) \oplus (V\ \overline{\gg}\ 2) \\ &= (a_{0} \oplus a_{5} \oplus a_{8})(a_{1} \oplus a_{6} \oplus a_{9} \oplus a_{9})(a_{2} \oplus a_{7} \oplus a_{9} \oplus a_{5} \oplus a_{8}) \\ &\quad\ (a_{3} \oplus a_{8} \oplus a_{6} \oplus a_{9})(a_{4} \oplus a_{9} \oplus a_{7})(a_{5} \oplus a_{8} \oplus a_{9}) \\ &\quad\ (a_{6} \oplus a_{9} \oplus a_{5} \oplus a_{8})(a_{7} \oplus a_{6} \oplus a_{9} \oplus a_{9})(a_{8} \oplus a_{7})(a_{9} \oplus a_{8}) \end{aligned} \qquad (41)$

If the result C′ obtained from Formula (41) is rewired, the result of the squaring operation is obtained by Formula (42).

A²=(a₀⊕a₅⊕a₈)(a₅⊕a₈⊕a₉)(a₁⊕a₆⊕a₉⊕a₉)(a₆⊕a₉⊕a₅⊕a₈)(a₂⊕a₇⊕a₉⊕a₅⊕a₈)(a₇⊕a₆⊕a₉⊕a₉)(a₃⊕a₈⊕a₆⊕a₉)(a₈⊕a₇)(a₄⊕a₉⊕a₇)(a₉⊕a₈)   (42)

FIG. 6 illustrates an implementation result of Formula (42) using a plurality of XOR gates 61 and a rewiring unit 62. Referring to FIG. 6, the squaring apparatus includes twenty-five XOR gates contributing to area complexity and has four XOR gate delays contributing to time complexity.
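The worked n = 10 example above can be checked mechanically. The following Python model is an added example, not code from the patent: it builds V from the coefficient formulas of claims 10 to 12, applies Formulae (34) to (38), and compares the result with schoolbook squaring modulo x¹⁰+x⁴+x³+x+1 for all 1024 field elements. Function names are hypothetical, and the s ≥ n/2 branch of the shift is an assumed reading of Formula (36), chosen because it reproduces Formula (41).

```python
# Added example: bit-level model of the even-n squarer for the page's worked case.
# Bit lists are ordered a_0 ... a_{n-1}; all function names are hypothetical.
N = 10                       # field GF(2^10)
H = N // 2
KS = (1, 3, 4)               # k_1, k_2, k_3 of f(x) = x^10 + x^4 + x^3 + x + 1
F_MASK = (1 << N) | sum(1 << k for k in KS) | 1

def xor(u, v):
    return [p ^ q for p, q in zip(u, v)]

def rot_right(bits, r):
    """Cyclic right rotation of a bit list by r positions."""
    cut = len(bits) - (r % len(bits))
    return bits[cut:] + bits[:cut]

def m_coeff(k):
    """m_i for even n (claim 10): 1 when k_i = 1, else the r bracketing k_i."""
    if k == 1:
        return 1
    r = 2
    while not ((r - 2) * N + 1 < k * (r - 1) and k * r <= (r - 1) * N + 1):
        r += 1
    return r

def l_coeff(k, j):
    """l_ij for even n (claim 11)."""
    return H - (j - 1) * H + ((j - 1) * k) // 2

def shift_amount(k):
    """s_i from Formula (34)."""
    return (N + k - 1) // 2 if k % 2 else k // 2

def v_ij(a, k, j):
    """V_ij for even n (claim 12): the top l_ij bits of A, placed at the start
    of the word, or at the start of its second half when k_i is odd and j even."""
    l = l_coeff(k, j)
    tail = a[N - l:] if l > 0 else []
    lead = H if (k % 2 == 1 and j % 2 == 0) else 0
    return ([0] * lead + tail + [0] * N)[:N]

def coeff_v(a):
    """V = V_0 xor every V_ij with m_i != 1, as in Formulae (39)-(40)."""
    v = a[H:] + [0] * H                      # V_0
    for k in KS:
        for j in range(2, m_coeff(k) + 1):
            v = xor(v, v_ij(a, k, j))
    return v

def half_shift(v, s):
    """Shift of Formula (36). ASSUMPTION: for s >= n/2 the halves swap, the old
    second half rotates by s - n/2 + 1 and the old first half by s - n/2."""
    lo, hi = v[:H], v[H:]
    if s <= H - 1:
        return rot_right(lo, s) + rot_right(hi, s)
    return rot_right(hi, s - H + 1) + rot_right(lo, s - H)

def square_patent(a):
    v = coeff_v(a)
    c_prime = xor(a[:H], a[H:]) + [0] * H    # A-bar, Formula (35)
    for k in KS:                             # Formula (37)
        c_prime = xor(c_prime, half_shift(v, shift_amount(k)))
    c = [0] * N
    for j, bit in enumerate(c_prime):        # rewiring, Formula (38)
        c[2 * j if j < H else 2 * j - N + 1] = bit
    return c

def square_reference(a):
    """Schoolbook squaring: spread the bits, then reduce modulo f(x)."""
    acc = sum(bit << (2 * i) for i, bit in enumerate(a))
    for d in range(2 * N - 2, N - 1, -1):
        if (acc >> d) & 1:
            acc ^= F_MASK << (d - N)
    return [(acc >> i) & 1 for i in range(N)]

def to_bits(x):
    return [(x >> i) & 1 for i in range(N)]

def mismatches():
    """Field elements on which the two squarers disagree."""
    return [x for x in range(1 << N)
            if square_patent(to_bits(x)) != square_reference(to_bits(x))]

if __name__ == "__main__":
    print("mismatches:", len(mismatches()))
```

Only the page's n = 10 field is exercised; other even-n fields would need their own k_(i) values and a fresh comparison against the reference squarer.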

FIGS. 7 through 9 are tables illustrating comparisons between the conventional art and embodiments of the present invention. Referring to FIG. 7, the present invention considers the case where the defining polynomial is a trinomial, that is, x^(n)+x^(k)+1 (1≦k≦n/2) in terms of area and time complexity. FIG. 8 is a table illustrating a comparison of area and time complexity, in three finite fields defined by SEC standards, between the conventional art and an embodiment of the present invention. It is assumed that an input of the squaring apparatus follows a standard representation. FIG. 9 is a table illustrating a comparison of applicability of standards, basis conversion, and problems between the conventional art and an embodiment of the present invention. It is assumed that an input of the squaring apparatus has a standard representation.

Referring to the tables, in terms of time and area complexity, embodiments of the present invention are superior, similar, or inferior to the conventional art according to different cases. But the invention by C. H. Kim, et al. uses a dimension and a defining polynomial that are not found in the standards, resulting in poor compatibility, and the invention by Lambert, et al. and the invention by C. C. Wang et al. require complex basis conversion. In general, basis conversion requires approximately n² gates and gate delays of approximately log₂n. If there is no method of efficient basis conversion, the conventional inventions are less efficient than the present invention. Further, the invention by H. Wu is restricted to a trinomial as a defining polynomial, thereby having limitations in its application.

Even when n is even, embodiments of the present invention can be applied to any cases given in the standards, thereby achieving wide applicability.

As is described above, since the squaring apparatus according to an embodiment of the present invention is applicable to most cases in the standards, it has wide applicability and efficient area and time complexity. Also, the squaring apparatus does not require basis conversion. In addition, since the squaring apparatus can be applied when a trinomial and a pentanomial are used as the defining polynomial, it is superior to the conventional art in terms of applicability to the cases in the standards.

Although a few embodiments of the present invention have been shown and described, it would be appreciated by those skilled in the art that changes may be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the claims and their equivalents.

1. A method to perform a squaring operation of an element A when a defining polynomial of a finite field GF(2^(n)) is expressed as $f(x) = x^{n} + \sum_{i=1}^{t} x^{k_{i}} + 1$ where n is odd, and the element A contained in the finite field is expressed as A=(a₀,a₁,a₂, . . . ,a_(n−1))∈GF(2^(n)), the method comprising: determining predefined coefficients m_(i), l_(ij), V₀, V_(ij), and V, such that the coefficient m_(i) satisfies a predetermined condition with respect to k_(i) when 0≦i≦t is a natural number, the coefficient l_(ij) depends on n, k_(i), and j when 2≦j≦m_(i), the coefficients V₀ and V_(ij) of n bits, respectively, depend on n, l_(ij), and k_(i), and obtaining the coefficient V with respect to m_(i) according to the following formula; $V_{i} = V_{i2} \oplus V_{i3} \oplus \cdots \oplus V_{im_{i}}$, $V = V_{0} \oplus \sum_{m_{i} \neq 0} V_{i}$; determining a predefined coefficient s_(i) according to k_(i) and n and cyclically shifting the coefficient V by s_(i); performing XOR operations on the cyclically shifted coefficient V and the element A; and rewiring a result of the XOR operations in a predefined order and outputting results of the squaring operation.
2. The method of claim 1, wherein the coefficient m_(i) satisfies the following formula with respect to k_(i) $\begin{cases} m_{i} = 0 & k_{i} = 1 \\ m_{i} = r & \frac{(r-2)n+1}{r-1} < k_{i} \leq \frac{(r-1)n+1}{r},\ r \geq 2 \end{cases}$
3. The method of claim 1, wherein the coefficient l_(ij) is determined by the following formula $l_{ij} = \frac{n-1}{2} - \left\lfloor (j-1)\frac{n-k_{i}}{2} \right\rfloor$
4. The method of claim 1, wherein the coefficient V₀ is determined by the following formula $V_{0} = \underbrace{a_{\frac{n+1}{2}} a_{\frac{n+3}{2}} \cdots a_{n-1}\,00 \cdots 0}_{n\ \text{bits}}$, and the coefficient V_(ij) is determined by the following formula $V_{ij} = \underbrace{a_{n-l_{ij}} a_{n-l_{ij}+1} \cdots a_{n-1}\,00 \cdots 0}_{n\ \text{bits}}$ when k_(i) is odd, or when k_(i) is even and j is odd, and the coefficient V_(ij) is determined by the following formula $V_{ij} = \underbrace{0 \cdots 0}_{\frac{(n-1)}{2}\ \text{bits}}\ \underbrace{a_{n-l_{ij}} a_{n-l_{ij}+1} \cdots a_{n-1}\,00 \cdots 0}_{\frac{(n+1)}{2}\ \text{bits}}$ when both k_(i) and j are even.
5. The method of claim 1, wherein the coefficient s_(i) is determined with respect to k_(i) and n by the following formula $s_{i} = \begin{cases} \frac{k_{i}+1}{2} & k_{i}\text{: odd} \\ \frac{k_{i}+1+n}{2} & k_{i}\text{: even} \end{cases}$.
6. The method of claim 1, wherein, when the result C′ of the XOR operations is expressed as C′=c₀′c₁′ . . . c_(n−1)′ and the square A² of the element A is expressed as A²=c₀c₁ . . . c_(n−1), c_(i) is obtained according to the following formula c_(i)=c_(j)′ (i≡2j mod n).
7. An apparatus to perform a squaring operation on an element A when a defining polynomial of a finite field GF(2^(n)) is expressed as $f(x) = x^{n} + \sum_{i=1}^{t} x^{k_{i}} + 1$ where n is odd, and the element A of the finite field is expressed as A=(a₀,a₁,a₂, . . . ,a_(n−1))∈GF(2^(n)), the apparatus comprising: a coefficient calculating unit, which calculates coefficients necessary for the squaring operation by: determining predefined coefficients m_(i), l_(ij), V₀, V_(i), and V such that the coefficient m_(i) satisfies a predetermined condition with respect to k_(i) when 0≦i≦t is a natural number, the coefficient l_(ij) depends on n, k_(i), and j when 2≦j≦m_(i), the coefficients V₀ and V_(ij) of n bits, respectively, depend on n, l_(ij), and k_(i), and obtaining the coefficient V with respect to m_(i) according to the following formula, $V_{i} = V_{i2} \oplus V_{i3} \oplus \cdots \oplus V_{im_{i}}$, $V = V_{0} \oplus \sum_{m_{i} \neq 0} V_{i}$; determining a predefined coefficient s_(i) according to k_(i) and n and cyclically shifting the coefficient V by s_(i); an XOR operating unit, which includes a plurality of XOR gates and performs XOR operations on input A according to results of the calculated coefficient; and a rewiring unit, which rewires outputs of the XOR operating unit in a predefined order and outputs final results of the squaring operation.
8. The apparatus of claim 7, wherein, when the output C′ of the XOR operating unit is expressed as C′=c₀′c₁′ . . . c_(n−1)′, and a square, A² of the element A, is expressed as A²=c₀c₁ . . . c_(n−1), the rewiring unit rewires c_(i)′ with c_(i) according to the following formula c_(i)=c_(j)′ (i≡2j mod n).
9. A method to perform a squaring operation on an element A when a defining polynomial of a finite field GF(2^(n)) is expressed as $f(x) = x^{n} + \sum_{i=1}^{t} x^{k_{i}} + 1$ where n is even, and the element A of the finite field is expressed as A=(a₀,a₁,a₂, . . . ,a_(n−1))∈GF(2^(n)), the method comprising: determining predefined coefficients m_(i), l_(ij), V₀, V_(ij), and V, such that the coefficient m_(i) satisfies a predetermined condition with respect to k_(i) when 1≦i≦t is a natural number, the coefficient l_(ij) depends on n, k_(i), and j when 2≦j≦m_(i), the coefficients V₀ and V_(ij) of n bits, respectively, depend on n, l_(ij), and k_(i), and obtaining the coefficient V with respect to m_(i) according to the following formula; $V_{i} = V_{i2} \oplus V_{i3} \oplus \cdots \oplus V_{im_{i}}$, $V = V_{0} \oplus \sum_{m_{i} \neq 1} V_{i}$; determining a predefined coefficient s_(i) according to k_(i) and n and cyclically shifting the coefficient V by s_(i) according to a predetermined formula; obtaining an element from the element $\overline{A}$ and performing XOR operations on the cyclically shifted coefficient V with the element $\overline{A}$; and rewiring a result of the XOR operations in a predefined order and outputting results of the squaring operation.
10. The method of claim 9, wherein the coefficient m_(i) is determined with respect to k_(i) to satisfy the following formula $\begin{cases} m_{i} = 1 & k_{i} = 1 \\ m_{i} = r & \frac{(r-2)n+1}{r-1} < k_{i} \leq \frac{(r-1)n+1}{r},\ r \geq 2 \end{cases}$.
11. The method of claim 9, wherein the coefficient l_(ij) is determined by the following formula $l_{ij} = \frac{n}{2} - (j-1)\frac{n}{2} + \left\lfloor (j-1)\frac{k_{i}}{2} \right\rfloor$.
12. The method of claim 9, wherein the coefficient V₀ is determined by the following formula $V_{0} = \underbrace{a_{n-\frac{n}{2}} a_{n-\frac{n}{2}+1} \cdots a_{n-1}\,00 \cdots 0}_{n\ \text{bits}}$, and the coefficient V_(ij) is determined by the following formula $V_{ij} = \underbrace{a_{n-l_{ij}} a_{n-l_{ij}+1} \cdots a_{n-1}\,00 \cdots 0}_{n\ \text{bits}}$ when k_(i) is even, or when both k_(i) and j are odd, and the coefficient V_(ij) is determined by the following formula $V_{ij} = \underbrace{0 \cdots 0}_{\frac{n}{2}\ \text{bits}}\ \underbrace{a_{n-l_{ij}} a_{n-l_{ij}+1} \cdots a_{n-1}\,00 \cdots 0}_{\frac{n}{2}\ \text{bits}}$ when k_(i) is odd and j is even.
13. The method of claim 9, wherein the coefficient s_(i) is determined with respect to k_(i) and n by the following formula $s_{i} = \begin{cases} \frac{n+k_{i}-1}{2} & k_{i}\text{: odd} \\ \frac{k_{i}}{2} & k_{i}\text{: even} \end{cases}$.
14. The method of claim 9, wherein the shift operation is carried out with respect to the element A according to the following formula $a_{0} \cdots a_{\frac{n}{2}-1}\, a_{\frac{n}{2}} \cdots a_{n-1}\ \overline{\gg}\ s = \begin{cases} a_{\frac{n}{2}-s} \cdots a_{\frac{n}{2}-1}\, a_{0} \cdots a_{\frac{n}{2}-s-1}\, a_{n-s} \cdots a_{n-1}\, a_{\frac{n}{2}} \cdots a_{n-s-1} & s \leq \frac{n}{2}-1 \\ a_{n-s-1} \cdots a_{n-1}\, a_{\frac{n}{2}} \cdots a_{n-s+\frac{n}{2}-2}\, a_{\frac{n}{2}-s+\frac{n}{2}} \cdots a_{\frac{n}{2}-1}\, a_{0} \cdots a_{\frac{n}{2}-s+\frac{n}{2}-1} & s \geq \frac{n}{2} \end{cases}$ where the shift operation is represented by $\overline{\gg}$.
15. The method of claim 9, wherein the element $\overline{A}$ is determined by the following formula $\overline{A} = \underbrace{(a_{0} \oplus a_{\frac{n}{2}})(a_{1} \oplus a_{\frac{n}{2}+1}) \cdots (a_{\frac{n}{2}-1} \oplus a_{n-1})\,0 \cdots 0}_{n\ \text{bit}}$.
16. The method of claim 9, wherein, when the result C′ of the XOR operation is expressed as C′=c₀′c₁′ . . . c_(n−1)′ and the square A² of the element A is expressed as A²=c₀c₁ . . . c_(n−1), c_(i) is obtained according to the following formula $c_{i} = \begin{cases} c_{j}' & \left(i \equiv 2j,\ j \leq \frac{n}{2}-1\right) \\ c_{j}' & \left(i = 2j - n + 1,\ j \geq \frac{n}{2}\right) \end{cases}$.
17. An apparatus to perform a squaring operation on an element A when a defining polynomial of a finite field GF(2^(n)) is expressed as $f(x) = x^{n} + \sum_{i=1}^{t} x^{k_{i}} + 1$ where n is even, and the element A of the finite field is expressed as A=(a₀,a₁,a₂, . . . ,a_(n−1))∈GF(2^(n)), the apparatus comprising: a coefficient calculating unit, which calculates coefficients necessary for the squaring operation by: determining predefined coefficients m_(i), l_(ij), V₀, V_(ij), and V such that the coefficient m satisfies a predetermined condition with respect to k_(i) when 1≦i≦t is a natural number, the coefficient l_(ij) depends on n, k_(i), and j when 2≦j≦m_(i), the coefficients V₀ and V_(ij) of n bits, respectively, depend on n, l_(ij), and k_(i), and obtaining the coefficient V with respect to m_(i) according to the following formula, $V_{i} = V_{i2} \oplus V_{i3} \oplus \cdots \oplus V_{im}$, $V = V_{0} \oplus \sum_{m_{i} \neq 0} V_{i}$; determining a predefined coefficient s_(i) according to k_(i) and n and cyclically shifting the coefficient V by s_(i) according to a first predetermined formula; an XOR operating unit, which includes a plurality of XOR gates, and which obtains an element $\overline{A}$ from the input element A according to a second predetermined formula, and performs XOR operations on results of the cyclic shift operation received from the coefficient calculating unit with the element $\overline{A}$; and a rewiring unit, which rewires an output C′ of the XOR operating unit and outputs final results of the squaring operation.
18. The apparatus of claim 17, wherein the second predetermined formula is defined as $\overline{A} = \underbrace{(a_{0} \oplus a_{\frac{n}{2}})(a_{1} \oplus a_{\frac{n}{2}+1}) \cdots (a_{\frac{n}{2}-1} \oplus a_{n-1})\,0 \cdots 0}_{n\ \text{bits}}$.
19. The apparatus of claim 17, wherein when the output C′ of the XOR operating unit is expressed as C′=c₀′c₁′ . . . c_(n−1)′ and a square, A², of the element A, is expressed as A²=c₀c₁ . . . c_(n−1), the rewiring unit rewires c_(j)′ with c_(i) according to the following formula $c_{i} = \begin{cases} c_{j}' & \left(i \equiv 2j,\ j \leq \frac{n}{2}-1\right) \\ c_{j}' & \left(i = 2j - n + 1,\ j \geq \frac{n}{2}\right) \end{cases}$.
20. A method to perform a squaring operation on an element A when a defining polynomial of a finite field GF(2^(n)) is expressed as $f(x) = x^{n} + \sum_{i=1}^{t} x^{k_{i}} + 1$, and the element A of the finite field is expressed as A=(a₀,a₁,a₂, . . . ,a_(n−1))∈GF(2^(n)), the method comprising: determining predefined coefficients m_(i), l_(ij), V₀, V_(ij), and V, such that when m is odd, the coefficient m_(i) satisfies a second predetermined condition with respect to k_(i) when 0≦i≦t is a natural number, and when m is even, the coefficient m_(i) satisfies a second predetermined condition with respect to k_(i) when 1≦i≦t is a natural number, the coefficient l_(ij) depends on n, k_(i), and j when 2≦j≦m_(i), the coefficients V₀ and V_(ij) of n bits, respectively, depend on n, l_(ij), and k_(i); when n is odd, obtaining the coefficient V with respect to m_(i) according to the following formula $V_{i} = V_{i2} \oplus V_{i3} \oplus \cdots \oplus V_{im}$, $V = V_{0} \oplus \sum_{m_{i} \neq 0} V_{i}$; when n is even, obtaining the coefficient V with respect to m_(i) according to the following formula $V_{i} = V_{i2} \oplus V_{i3} \oplus \cdots \oplus V_{im}$, $V = V_{0} \oplus \sum_{m_{i} \neq 1} V_{i}$; determining a predetermined coefficient s_(i) according to k_(i) and n and cyclically shifting the coefficient V by s_(i); when n is odd, performing XOR operations on the cyclically shifted coefficient V and the element A; when n is even obtaining an element $\overline{A}$ from the element A and performing XOR operations on the cyclically shifted coefficient V with the element $\overline{A}$; and rewiring a result of the XOR operations in a predetermined order and outputting results of the squaring operation.
21. The method according to claim 20, wherein the coefficient m_(i) is determined with respect to k_(i) to satisfy the following formula $\frac{(r-2)n+1}{r-1} < k_{i} \leq \frac{(r-1)n+1}{r},\ r \geq 2$ when m_(i)=r when n is odd and m_(i)=0 k_(i)=1 when n is even and m_(i)=1 k_(i)=1.
22. The method according to claim 20, wherein the coefficient l_(ij) is determined by the following formulas $l_{ij} = \frac{n-1}{2} - \left\lfloor (j-1)\frac{n-k_{i}}{2} \right\rfloor$ when n is odd, $l_{ij} = \frac{n}{2} - (j-1)\frac{n}{2} + \left\lfloor (j-1)\frac{k_{i}}{2} \right\rfloor$ when n is even.
23. The method according to claim 20, wherein: when n is odd the coefficient V₀ is determined by the following formula $V_{0} = \underbrace{a_{\frac{n+1}{2}} a_{\frac{n+3}{2}} \cdots a_{n-1}\,00 \cdots 0}_{n\ \text{bits}}$, when one of k_(i) is odd, and k_(i) is even and j is odd, the coefficient V_(ij) is determined by the following formula $V_{ij} = \underbrace{a_{n-l_{ij}} a_{n-l_{ij}+1} \cdots a_{n-1}\,00 \cdots 0}_{n\ \text{bits}}$, and when both k_(i) and j are even, the coefficient V_(ij) is determined by the following formula $V_{ij} = \underbrace{0 \cdots 0}_{\frac{(n-1)}{2}\ \text{bits}}\ \underbrace{a_{n-l_{ij}} a_{n-l_{ij}+1} \cdots a_{n-1}\,00 \cdots 0}_{\frac{(n+1)}{2}\ \text{bits}}$; and when n is even the coefficient V₀ is determined by the following formula $V_{0} = \underbrace{a_{n-\frac{n}{2}} a_{n-\frac{n}{2}+1} \cdots a_{n-1}\,00 \cdots 0}_{n\ \text{bits}}$, when k_(i) is even, or when both k_(i) and j are odd, the coefficient V_(ij) is determined by the following formula $V_{ij} = \underbrace{a_{n-l_{ij}} a_{n-l_{ij}+1} \cdots a_{n-1}\,00 \cdots 0}_{n\ \text{bits}}$, and when k_(i) is odd and j is even, the coefficient V_(ij) is determined by the following formula $V_{ij} = \underbrace{0 \cdots 0}_{\frac{n}{2}\ \text{bits}}\ \underbrace{a_{n-l_{ij}} a_{n-l_{ij}+1} \cdots a_{n-1}\,00 \cdots 0}_{\frac{n}{2}\ \text{bits}}$.
24. The method according to claim 20, wherein: when n is odd, the coefficient s_(i) is determined with respect to k_(i) and n by the following formula $s_{i} = \begin{cases} \frac{k_{i}+1}{2} & k_{i}\text{: odd} \\ \frac{k_{i}+1+n}{2} & k_{i}\text{: even} \end{cases}$; and when n is even, the coefficient s_(i) is determined with respect to k_(i) and n by the following formula $s_{i} = \begin{cases} \frac{n+k_{i}-1}{2} & k_{i}\text{: odd} \\ \frac{k_{i}}{2} & k_{i}\text{: even} \end{cases}$.
25. The method according to claim 20, wherein when n is even, the shift operation is carried out with respect to the element A according to the following formula $a_{0} \cdots a_{\frac{n}{2}-1}\, a_{\frac{n}{2}} \cdots a_{n-1}\ \overline{\gg}\ s = \begin{cases} a_{\frac{n}{2}-s} \cdots a_{\frac{n}{2}-1}\, a_{0} \cdots a_{\frac{n}{2}-s-1}\, a_{n-s} \cdots a_{n-1}\, a_{\frac{n}{2}} \cdots a_{n-s-1} & s \leq \frac{n}{2}-1 \\ a_{n-s-1} \cdots a_{n-1}\, a_{\frac{n}{2}} \cdots a_{n-s+\frac{n}{2}-2}\, a_{\frac{n}{2}-s+\frac{n}{2}} \cdots a_{\frac{n}{2}-1}\, a_{0} \cdots a_{\frac{n}{2}-s+\frac{n}{2}-1} & s \geq \frac{n}{2} \end{cases}$ where the shift operation is represented by $\overline{\gg}$.
26. The method according to claim 20, wherein the element $\overline{A}$ is determined by the following formula $\overline{A} = \underbrace{(a_{0} \oplus a_{\frac{n}{2}})(a_{1} \oplus a_{\frac{n}{2}+1}) \cdots (a_{\frac{n}{2}-1} \oplus a_{n-1})\,0 \cdots 0}_{n\ \text{bit}}$.
27. The method according to claim 20, wherein when the result C′ of the XOR operations is expressed as C′=c₀′c₁′ . . . c_(n−1)′ and the square A² of the element A is expressed as A²=c₀c₁ . . . c_(n−1), c_(i) is obtained according to the following formulas: when n is odd, c_(i)=c_(j)′ (i≡2j mod n); and when n is even, $c_{i} = \begin{cases} c_{j}' & \left(i \equiv 2j,\ j \leq \frac{n}{2}-1\right) \\ c_{j}' & \left(i = 2j - n + 1,\ j \geq \frac{n}{2}\right) \end{cases}$.
28. An apparatus to perform a squaring operation on an element A when a defining polynomial of a finite field GF(2^(n)) is expressed as $f(x) = x^{n} + \sum_{i=1}^{t} x^{k_{i}} + 1$ where n is even, and the element A of the finite field is expressed as A=(a₀,a₁,a₂, . . . ,a_(n−1))∈GF(2^(n)), the apparatus comprising: a coefficient calculating unit, which calculates coefficients necessary for the squaring operation by: determining predetermined coefficients m_(i), l_(ij), V₀, V_(ij), and V such that when m is odd, the coefficient m_(i) satisfies a second predetermined condition with respect to k_(i) when 0≦i≦t is a natural number, and when m is even, the coefficient m_(i) satisfies a second predetermined condition with respect to k_(i) when 1≦i≦t is a natural number, the coefficient l_(ij) depends on n, k_(i), and j when 2≦j≦m_(i), the coefficients V₀ and V_(ij) of n bits, respectively, depend on n, l_(ij), and k_(i); when n is odd, obtaining the coefficient V with respect to m_(i) according to the following formula $V_{i} = V_{i2} \oplus V_{i3} \oplus \cdots \oplus V_{im}$, $V = V_{0} \oplus \sum_{m_{i} \neq 0} V_{i}$; when n is even, obtaining the coefficient V with respect to m_(i) according to the following formula $V_{i} = V_{i2} \oplus V_{i3} \oplus \cdots \oplus V_{im}$, $V = V_{0} \oplus \sum_{m_{i} \neq 1} V_{i}$; determining a predetermined coefficient s_(i) according to k_(i) and n and cyclically shifting the coefficient V by s_(i); an XOR operating unit, which includes a plurality of XOR gates, and that when n is odd, performs XOR operations on input A according to results of the coefficient calculating, and when n is even, obtains an element $\overline{A}$ from the input element A according to a predetermined formula, and performs XOR operations on results of the cyclic shift operation received from the coefficient calculating unit with the element $\overline{A}$; and a rewiring unit, which when n is odd, rewires outputs of the XOR operating unit in a predetermined order and outputs final results of the squaring operation, and when n is even, rewires an output C′ of the XOR operating unit and outputs final results of the squaring operation.
29. The apparatus according to claim 28, wherein, when the output C′ of the XOR operating unit is expressed as C′=c₀′c₁′ . . . c_(n−1)′, and the square, A², of the element A, is expressed as A²=c₀c₁ . . . c_(n−1), the rewiring unit rewires c_(j)′ with c_(i) according to the following formulas when n is odd, c_(i)=c_(j)′ (i≡2j mod n), and $c_{i} = \begin{cases} c_{j}' & \left(i \equiv 2j,\ j \leq \frac{n}{2}-1\right) \\ c_{j}' & \left(i = 2j - n + 1,\ j \geq \frac{n}{2}\right) \end{cases}$ when n is even.